iOS apps hijack Twitter accounts, post false “confessions” of piracy

Dictionary app maker's move is the very definition of how not to fight theft.

An iOS application developer has come up with an extreme way of fighting software piracy—by auto-posting "confessions" to its users' Twitter accounts.

If you search Twitter for the hashtag #softwarepirateconfession you'll find a stream of tweets stating, "How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession." There are many dozens of these tweets in the past day alone, all identical. So what's happening? It turns out that Enfour, the maker of a variety of dictionary apps, is auto-posting tweets to users' accounts to shame them for being pirates. But the auto-tweeting seems to be affecting a huge portion of its paid user base, not just those who actually stole the apps.

An apology in Japanese was posted on the Japan-based Enfour's site, listing affected products including more than a dozen English dictionary and thesaurus apps, such as American Heritage, Collins, and Australian Oxford dictionaries. There are another half-dozen or so Japanese language apps affected as well.

Enfour VP of Communications Tracey Northcott also apologized on Twitter. Northcott wrote on November 1 that "The anti-piracy module kicked in today for legitimate users," and she called the problem a "bug" and a "glitch in the anti-piracy measures." She wrote, also on November 1, that an updated version of the apps rushed onto the App Store had fixed the auto-tweet problem. (Whether the "fix" eliminates the auto-tweets entirely or makes it so they only affect people who actually stole the app, she did not say.) She's still doing damage control this week, advising people on Twitter to update to the latest version.

Why did Enfour do it? "Only 25% of our apps in use are legitimate copies. Piracy is threatening the survival of all independent devs," she wrote.

I tested one of the apps and found no problems. However, people are still complaining, and the timing of the complaints suggests either that they are using older versions of the apps or that the promised fix hasn't been fully successful.

You calling me a pirate?

The problem gained wider attention in the past couple of days because of a blog post written by Andreas Ødegård, a user of the "Oxford Deluxe" dictionary app and editor at the tech site Pocketables. He writes in a post on November 10:

I sat down to grade papers for an English class, and loaded up the dictionary app I’ve been using for ages to check a word. I got asked for access to my Twitter account, declined, and was thrown out of the app. Again and again. OK, I thought, apparently some update means the app now requires access—nothing new, apps need location access to access photos, and I don’t plan on sharing any words on Twitter anyways, so why not. I checked my word, went back to grading.

A few minutes later, I get a Twitter notification email about someone replying to my tweet. What tweet? This one:

How about we all stop using pirated iOS apps? I promise to stop. I really will. #Softwarepirateconfession

Ødegård writes that he paid $55 for the app in August 2010, and posted a screenshot of the receipt to prove it. But his iOS device is jailbroken and has Installous, an "app store" that rips off apps from the real Apple App Store and makes them available for free. Ødegård continues:

I have Installous, a jailbreak app for installing pirated apps, installed, but have only ever used it once: When Scanner Pro, which I also legally own, introduced a bug in the app that made the app stop working completely on my device. Installous lets you browse a list of available pirated versions of the app, which also means you can use it to go back to an older version of an app you legally own. This is otherwise impossible in iOS, unlike on Android. Don’t know if there’s a relation there, but I assume so. If I were to guess, I assume the developer got tired of having the $50 app stolen, included a check for Installous, and simply forgot to actually add a method to see if the users had used it for the app in question. Whoops?

While Ødegård suggests the problem is limited to owners of jailbroken iOS devices, others say that's not the case. One commenter on the Pocketables blog post writes that "this has nothing to do with having a jailbroken iPad or iPhone. It is happening to everyone." A commenter on Hacker News reported using Enfour's Longman Dictionary of Contemporary English on a device that is not jailbroken, saying, "The latest version displays 'I'm a software thief' as a notification, says to run the app in safe mode and then crashes."

We've contacted Enfour for further comment but have not heard back yet. As noted, complaints have continued to come in after the application update that was supposed to fix the problem. Enfour's American Heritage Dictionary—4th Edition app was updated last on November 1, but several customer reviews of the current version detail the same complaint about the pirate tweets. On November 2, user Sean O'Brien wrote:

Apparently, even though I paid nearly $25.00 for it, something in the code of this app identified me as owning a pirated copy. It then asked for access to my Twitter account through my iPhone. I gave it access because, it's the American Heritage Dictionary! If any app can be trusted with my Twitter account, it ought to be my expensive dictionary app. But no, it tweeted the following message:

"How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession"

The App Store on iOS devices can display reviews from either the current version or all versions. Three more users writing on November 3 and November 4 weighed in with similar complaints about the American Heritage app's current version. That Longman app we mentioned above has similar complaints about the current version.

We weren't able to replicate the problem ourselves in the Ars Orbiting HQ. I have a couple of jailbroken iOS devices, so I tried recreating the problem by purchasing the American Heritage Dictionary—4th Edition. The app hasn't asked me to authorize Twitter on either device, and my Twitter account has not been hijacked.

While that suggests Enfour's fix has been at least partially successful, there are enough complaints still floating around to make us wonder if the problem is completely gone. The "confessions" are still rolling in on Twitter.

Enfour's problem exists between keyboard and chair

Enfour can call it a "bug" if it wants, but the bug wasn't just in the implementation—it was in the idea itself. Surely, there are better ways to fight piracy than forcing users to post involuntary "confessions" to their Twitter feeds. But since Enfour was insistent on shaming pirates, they should have tested the system a lot more thoroughly before rolling it out. If you're going to auto-tweet a confession to a user's Twitter account, make sure the confession itself isn't false.

Promoted Comments

As a long time software developer, I believe that company's applications should be pulled and the company banned from the app store. As others have already pointed out, it's one thing if you have your application complain to the user or refuse to work if it believes it is not a legitimate copy, however what this group did crosses the line on many different levels and issues.

I still find all these claims of piracy a bit (and by a bit I mean a lot) overstated. 75% piracy? Really? Even for $0.99 cent games.. I don't believe it.

The issue, I think, is the flawed way I've seen many developers say they calculate their piracy %. The first issue is tied to unique devices. So if I buy a game once and put it on an iPod touch, iPhone, and iPad (or 3 Android devices) I've now just individually caused a 66% piracy rate (2 out of 3 are "pirated").

The second issue has to deal with fabricating lost sales in regions you don't actually sell your game in. Let's take China, where your game might not be available at all yet people want to play it - they're going to get it on their device. Now, you didn't lose a single sale to China because you weren't selling there, but you're lumping in all the devices that it's on anyway, just to be more dramatic.

These numbers have to be suspect, especially when we hear claims like 70-80% of all copies even on iOS are pirated. Jailbreaking and Rooting are NOT the norm and as long as these companies use flawed numbers to try to get people riled up, I'm going to ignore their whining. And when they do something like this article is talking about, which is showing just how stupid and bad of a developer they really are, I'll gladly ignore their product altogether.

Another reason social networking privacy is an issue for everyone. No 'command and control' needs to be given over to Facebook/Google apps or others, and this becomes a non-issue.

The trouble is, our loose regulation environment encourages craptastic behavior because of 'free markets' and 'free speech' - not for consumers, but for Google, Facebook and thousands of other businesses that hide their unethical behavior behind 'free speech' rights.

Did this guy not witness the failure of DRM in the music, movie, and video game industries? How did he think that this was going to end up working any better? All he's done is ensured that future pirates will start checking for auto-tweeting code and patching these out of their versions.

Jailbreaking (and Installous) are mostly used for piracy, and educating users is the first step towards fixing the problem.

I hope you meant specifically "using both jailbreaking and Installous", which would at least be plausible. If you were including jailbreaking alone however then I think you are completely (and irritatingly) wrong. Jailbreaking, at least for some of us, makes iOS phenomenally more useful, to the point where I won't use an iOS device without it. It's not about the money either, quite the opposite in fact as many great pieces of software on Cydia are commercial.

As a long time software developer, I believe that company's applications should be pulled and the company banned from the app store. As others have already pointed out, it's one thing if you have your application complain to the user or refuse to work if it believes it is not a legitimate copy, however what this group did crosses the line on many different levels and issues.

17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

I think it's pretty easy to say that this comes under that.

Well to be fair, it did obtain permission when it asked for Twitter access...

That's exactly what I was thinking. The app asked for permission and you said, "ok."

The same thing happens with UAC messages in Windows all the time. People get bothered by the 99% of messages that really don't mean anything to them but then that 1% of the time they run something malicious they didn't care to read about.

Jailbreaking (and Installous) are mostly used for piracy, and educating users is the first step towards fixing the problem.

I hope you meant specifically "using both jailbreaking and Installous", which would at least be plausible. If you were including jailbreaking alone however then I think you are completely (and irritatingly) wrong.

It's a typical argument I see among iOS devs and iOS fans. They attack jailbreaking as if no one could possibly have a reason for doing so. I've been fervently attacked on Ars for suggesting that there were uses for jailbreaking other than piracy.

It's probably one of the more insulting arguments I've ever seen posted, particularly on Ars.

17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

I think it's pretty easy to say that this comes under that.

Well to be fair, it did obtain permission when it asked for Twitter access...

I'm sure such misuse by the app dev was not contemplated by Apple when they wrote this clause. May meet the letter of the law but sure violates the spirit of it. I don't condone any kind of piracy, but think the app dev went too far here (and possibly has opened themselves up to legal action.)

Chances are that Apple wasn't even aware of this "feature". I seriously doubt the application developer went and told Apple "Oh, by the way, if it detects that the phone is jailbroken and has something like Installous installed on it then the app is going to start hijacking the user's Twitter account". Unless Apple did a lot of arcane testing of apps they likely would never have realized this "feature" existed.

17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

I think it's pretty easy to say that this comes under that.

Well to be fair, it did obtain permission when it asked for Twitter access...

That's exactly what I was thinking. The app asked for permission and you said, "ok."

The app failed to "provid[e] the user with access to information about how... the data will be used." There have been almost countless complaints about apps which gain access to a user's contacts and merrily transmit that information back to the author for undisclosed marketing uses or the like. But here, because a user clicked OK on an apparently mandatory Twitter permission, anything that the app posts to Twitter as the user is fair game?

Setting aside the piracy issue, is the requirement that the app be provided with access to Twitter (apparent requirement -- it's not clear what happens if you did not link iOS to a Twitter account in the first place) in order to merely use the app disclosed to the purchaser? Why should a dictionary app be provided with access to Twitter? Are users refunded their purchase price if they refuse to give that permission?

I generally attempt to lock down iOS app permissions to the extent that I am able. No location services unless I have a use for them in the app, no Facebook account linked to the phone, no Twitter account (not that I have one) linked to the phone, oodles of notifications disabled, etc. I could see purchasing this app and becoming very disgruntled by the basic fact that it does not work as advertised. The false proclamations that a user is a pirate are merely the cherry on top.

This doesn't solve the core problem, but, I'm still hoping for a way to pretend to give all sorts of permissions without actually giving them. Apps have no business demanding those permissions and holding themselves hostage until you give in - I need a way to tell them "yea you have this permission" so it starts doing what it's supposed to do, but of course without actually enabling it to do the thing it asked permission for.

Jailbreaking (and Installous) are mostly used for piracy, and educating users is the first step towards fixing the problem.

I hope you meant specifically "using both jailbreaking and Installous", which would at least be plausible. If you were including jailbreaking alone however then I think you are completely (and irritatingly) wrong. Jailbreaking, at least for some of us, makes iOS phenomenally more useful, to the point where I won't use an iOS device without it. It's not about the money either, quite the opposite in fact as many great pieces of software on Cydia are commercial.

Installous also has apps that have been removed from the App Store for silly reasons (Duplicating functionality!) that the developers didn't bother putting on Cydia.